Platform
Security & Data Handling
How Odoo Doctor stores, processes, and protects your data. Understand what data we collect, how files are handled, and your privacy controls.
Data we store
- Account data — Name, email, hashed password, plan, role.
- Analysis reports — JSON reports generated by each tool. These contain AI output and metadata (module names, error summaries, detected versions). Source code is not stored in reports.
- Chat messages — Follow-up assistant messages stored with the analysis record.
- Usage analytics — Feature usage events for quota tracking and admin insights.
Data we do NOT store
- Your Odoo database credentials or connection strings
- Your Odoo instance data or database contents
- Uploaded ZIP files — extracted to temp directory, analyzed, then deleted
- Payment information — handled entirely by Lemon Squeezy
File handling
Uploaded ZIP files follow this process:
- Received in memory
- Extracted to a temporary directory
- Analyzed (manifest read, module structure inspected)
- Temporary directory is deleted immediately after analysis
Only the analysis report (JSON with summaries and findings) is saved to the database — not the source code files themselves.
AI processing
- Error text and document content are sent to the configured AI provider for analysis.
- AI prompts include your input text, selected Odoo version/edition, and additional context you provide.
- AI is not used to scan uploaded source code during Migration Audits — those use static rule-based analysis.
- You can configure your own AI provider via environment variables (
AI_API_KEY,AI_BASE_URL,AI_MODEL). - AI providers may process data according to their own privacy policies.
Data retention
Analysis history is retained according to your plan:
- Free — 7 days
- Pro — 90 days
- Team — 365 days
- Agency — 730 days
Honest note on retention
Automated cleanup of expired analysis data is not yet implemented. You can manually delete analyses at any time from the History page. Deleted items are removed immediately and permanently.
Authentication
- Passwords are hashed using bcrypt (12 rounds) and never stored in plain text.
- Session management uses NextAuth.js with JWT tokens.
- Password reset tokens are hashed and expire after a set period.
Access control
- All analysis data is scoped to your user account and workspace.
- Workspace members can access shared analyses within their workspace.
- Admin users can view usage statistics but cannot access individual analysis content.
Hosting
Odoo Doctor is self-hosted. You control the database, file storage, and AI provider configuration. No third-party analytics or tracking services are integrated.
Billing & payment security
Payments are processed by Lemon Squeezy. Odoo Doctor never receives, stores, or processes your credit card information. Subscription data (plan, status, subscription ID) is synced via webhooks.